A
Athera

Data Processing Addendum

Last updated: 2026-02-15

This Data Processing Addendum ("DPA") forms part of the agreement between Athera ("Processor") and the client ("Controller") for the provision of the Athera platform services. This DPA applies to the processing of personal data by Athera on behalf of the client.

1. Scope of Processing

Athera processes personal data as necessary to provide unified inbox, AI agent, task management, and workflow automation services. Processing includes receiving, storing, analyzing, and transmitting messages and associated data across connected channels. The categories of data subjects include end customers, business users, and team members of the Controller.

2. Security Measures

Athera implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication
  • Regular security assessments and vulnerability testing
  • Logging and monitoring of system access and data processing activities
  • Employee training on data protection and information security

3. Subprocessors

Athera engages the following categories of subprocessors to deliver its services:

  • Twilio: Messaging middleware for WhatsApp, SMS, and voice delivery
  • Meta Platforms: WhatsApp Business API and Instagram Messaging API
  • Cloud hosting provider: Secure compute and storage infrastructure
  • AI model providers: Natural language processing and automated response generation
  • Analytics providers: Platform monitoring, logging, and performance analysis

4. Breach Notification

Athera will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.

5. Data Deletion

Upon termination of the service agreement or upon the Controller's written request, Athera will delete all personal data processed on behalf of the Controller within 90 days, unless retention is required by applicable law. Athera will provide written confirmation of data deletion upon request.

6. Audit Rights

The Controller has the right to audit Athera's compliance with this DPA. Athera will make available all information necessary to demonstrate compliance and allow for audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

7. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), Athera ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and compliance with GDPR Chapter V requirements for international data transfers.

8. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement between Athera and the Controller. The obligations regarding data protection, confidentiality, and data deletion shall survive the termination of this DPA.